PatientTrac Surgery Privacy Policy

Privacy Policy

Last updated: June 2026
HIPAA Notice: PatientTrac Surgery is a covered entity's software platform. All protected health information (PHI) is handled in accordance with HIPAA Privacy Rule (45 CFR Part 164). This policy supplements, and does not replace, your organization's Notice of Privacy Practices.

Information We Collect

PatientTrac Surgery collects clinical documentation data entered by authorized healthcare providers, including surgical notes, assessments, medication records, and encounter-level clinical data. Patient identifiers are stored only within your organization's Supabase database instance and are never transmitted to third-party AI services.

How We Use Information

Clinical data is used solely to provide surgical documentation, workflow, and clinical decision support services to your organization. AI-assisted features process de-identified, encounter-level data only — patient names, dates of birth, MRNs, and other direct identifiers are stripped before any AI processing occurs.

Data Storage and Security

Data is stored in your organization's dedicated Supabase PostgreSQL instance with row-level security enabled. All data in transit is encrypted via TLS 1.2+. Access requires authenticated JWT tokens validated against your organization's identity provider.

Third-Party Services

PatientTrac Surgery uses Anthropic's Claude API for clinical decision support. AI calls are processed server-side through Netlify Functions; no PHI is transmitted directly from the browser to Anthropic. A Business Associate Agreement (BAA) with Anthropic is required before AI features may be used in clinical settings.

Data Retention

Clinical records are retained in accordance with your organization's retention policies and applicable state law. Typically, surgical records are retained for a minimum of 10 years per state medical board requirements.

Your Rights

Patients have rights regarding their protected health information under HIPAA, including rights of access, amendment, and accounting of disclosures. Contact your organization's Privacy Officer to exercise these rights.

Contact

For privacy-related inquiries, contact your organization's Privacy Officer or submit a request through your facility's standard HIPAA complaint process.